Here the loginID and password are passed to the MS SQL server without validation or encoding, so any SQL syntax in either value becomes part of the statement the server executes.

Using a secure replacement with SqlParameter objects, as below, this attack can be mitigated:

    string sqlQuery = "select user_id from fsb_users where login_id = @loginID and password = @password";
    // Assuming you have defined a SqlCommand called 'cmd' whose CommandText is sqlQuery
    cmd.Parameters.Add(new SqlParameter("@loginID", loginID));
    cmd.Parameters.Add(new SqlParameter("@password", password));
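The complete lookup, shown as an added example rather than code from the original page: the concatenated form that the text warns against next to the parameterized form it recommends. The table and column names come from the query above; the column lengths, the connection string and the method names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginRepository
{
    // Vulnerable form (do not use): user input is concatenated into the SQL text,
    // so the database parses whatever the user typed as part of the statement.
    public static object FindUserIdUnsafe(SqlConnection conn, string loginID, string password)
    {
        string sql = "select user_id from fsb_users where login_id = '" + loginID +
                     "' and password = '" + password + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return cmd.ExecuteScalar();
        }
    }

    // Hardened form: the SQL text is fixed and the values travel as typed parameters,
    // so they are only ever compared as data, never parsed as SQL.
    public static object FindUserIdSafe(SqlConnection conn, string loginID, string password)
    {
        const string sql =
            "select user_id from fsb_users where login_id = @loginID and password = @password";
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and length (assumed to match the column definitions)
            // keep the cached execution plan stable across different inputs.
            cmd.Parameters.Add("@loginID", SqlDbType.NVarChar, 50).Value = loginID;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;
            return cmd.ExecuteScalar(); // null when no row matches
        }
    }

    public static void Main()
    {
        // Placeholder connection string; replace with your own.
        using (var conn = new SqlConnection("Server=.;Database=fsb;Integrated Security=true"))
        {
            conn.Open();
            // A quote in the login name is harmless here: it is sent as a value,
            // whereas FindUserIdUnsafe would turn it into a syntax error or worse.
            object id = FindUserIdSafe(conn, "o'brien", "constructed-sample-password");
            Console.WriteLine(id == null ? "no match" : "user_id = " + id);
        }
    }
}
```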